NAME¶
desproxy - a TCP tunnel for HTTP proxies
SYNOPSIS¶
desproxy remote_host remote_port proxy_host proxy_port local_port
OPTIONS¶
None.
DESCRIPTION¶
HTTP proxies are network servers that are used to give HTTP (web) access to
computers that are not connected to the Internet. This is a typical scenario
in corporate networks and recently in home networks too. HTTP proxies connect
to the Internet either directly or via a parent proxy (which in fact connects
to the Internet directly or via another parent proxy, and so on...)
HTTP clients (web browsers) use HTTP proxies to request web pages; the HTTP
server just forwards those request to the destination server. All the
negotiation is done via the HTTP protocol, which is designed just to carry
HTTP requests and no generic (TCP/IP) traffic. That is why you can't
(normally) use Internet applications beside your web server if you are behind
a HTTP proxy.
That is what desproxy is good for. Desproxy is a TCP tunnel, which means
desproxy can forward TCP/IP traffic via a HTTP proxy. Desproxy uses a HTTP/1.1
method (CONNECT) to establish TCP/IP connections on demand. CONNECT is used
for SSL connections when accessing to secure sites, so if you can access sites
that support SSL (www.hotmail.com for example) you can use desproxy.
Not all IP (Internet) traffic is just TCP/IP. In fact there are two more
protocols widely used in the Internet not supported by desproxy: UDP and ICMP:
- •
- ICMP is used to manage large IP networks. The only
application using ICMP you may miss is ping.
- •
- UDP is an unreliable connection-less fast transport
protocol, mostly used in network games and other applications that need
low latency network traffic. Notably DNS uses UDP packets for fast
delivery.
Will desproxy work with my HTTP proxy?¶
Short answer: just give it a try
Long answer: desproxy should work with every HTTP proxy, with the following
exceptions:
- •
- MS Proxies with NTLM authentication. NTLM is a proprietary
authentication method from Microsoft, not a standard authentication
method. Maybe in the future desproxy will support NTLM authentication, but
currently it doesn't.
- •
- HTTP/1.0 Proxies. Desproxy needs the CONNECT method, which
is only available from HTTP/1.1 protocol version. It's very unlikely your
proxy doesn't accept HTTP/1.1 requests.
- •
- HTTP/1.1 Proxies without the CONNECT method. Maybe your
network administrator deactivated CONNECT support in the proxy, or maybe
CONNECT is restricted to the HTTPS port (443).
Assumptions¶
Let's assume the following:
- •
- your HTTP proxy host name is "proxy" and its
address is "192.0.0.1"
- •
- your HTTP proxy port is "8080"
- •
- your HTTP proxy doesn't need authentication. It case you
need HTTP authentication, please read [2]this.
- •
- your system console will be a terminal (xterm, the console
or a virtual terminal) if you are running Linux, *BSD or other UN*X
About connections¶
Imagine you need a network application that uses only one TCP/IP connection with
just one server. That's the case of IRC in which you connect to an IRC server
or ssh where you tipically connect just to one UNIX computer at a time. That's
what I called a "static connection".
Of course that's not the case of a web browser or a file sharing program, both
of them doing several connections at a time to different computers. That's
what I call "dynamic connections".
STATIC CONNECTIONS EXAMPLES¶
item How to use desproxy to connect to IRC¶
Suppose you want to connect to IRC using irc.undernet.org port 6667 as your IRC
server. First you have to start a system console (see Assumptions above for
details) and type
desproxy irc.undernet.org 6667 proxy 8080 1080
That should start desproxy, giving you the copyright notice along with some
information. The following is a screen capture from desproxy 0.0.23
-----------------------------------
desproxy 0.0.23
(c) Miguelanxo Otero Salgueiro 2001
This release brought to you patched
by Rutger Nijlunsig.
See RutgerWork.txt in documentation
for details about new features.
Great work guy!
-----------------------------------
TCP port 1080 Binded & Listening
Press ENTER to Quit
Desproxy reports it is listening in local port 1080 ready for a connection.
Open your favourite IRC client (install it first ;D) and connect to 127.0.0.1
port 1080 as your irc server (127.0.0.1 is a virtual IP, always referencing to
your local machine). Then, your IRC client should connect to desproxy. It
looks like
Connection request from 127.0.0.1, port 1220
Connecting to http proxy (proxy:8080)
Bidirectional connection established
Then you should be able to use your IRC client as if you were directly connected
to irc.undernet.org.
How to use desproxy to log in a computer using ssh¶
Suppose you have a shell account in a computer that supports secure connections
via ssh. Let's assume it's called shell.corporate.com. SSH uses port number 22
by default. So start a new system console and type:
desproxy shell.corporate.com 22 proxy 8080 1080
Then, tell your ssh client to connect to localhost (127.0.0.1) port 1080 and you
should get a ssh password prompt!
How to use desproxy to use other static clients¶
Let's assume you want to use network application X, which doesn't support HTTP
proxies but use one TCP/IP connection (like IRC and SSH). To make X work with
desproxy, you just have to 1) Search for the default port of that application
2) Search for the default server of that application and 3) Start desproxy,
passing that info as command line parameters. Format is
desproxy remote_host remote_port proxy_host proxy_port local_port
Just give a local_port of your desire, but always over 1023, cause lower ports
may need administrator privileges.
About HTTP Authentication¶
Some HTTP proxies need for security reasons a method of checking client's
identity. That's called HTTP authentication (or HTTP authorization).
Despoxy now supports Basic HTTP authentication. If your proxy needs other kind
of authentication (either Digest or NTLM) desproxy won't work.
For desproxy to work with a HTTP proxy that needs authentication, you have to
tell desproxy which username and password to use. Desproxy reads the
environment variable PROXY_USER to get that info.
Suppose your proxy username is "mayka" and your proxy password is
"007sgotLTK". Then, before using any of the desproxy programs you
should type this in your system console:
set PROXY_USER=mayka:007sgotLTK
Beware passwords can include some characters that should be escaped from the
system console. For example, if your password is "moon!=sun", and
you are running Linux, you should type
export PROXY_USER=yourusername:moon\!\=sun
Note characters "!" and "=" are escaped using the backslash
"\". If you are running MS Windows, as long as I know, you don't
have to escape any valid password character.
head1 Troubleshooting
A normal desproxy session looks like this:
$ desproxy 127.0.0.1 21 127.0.0.1 4480 2222
-----------------------------------
desproxy <version>
HTTP/1.1
(c) Miguelanxo Otero Salgueiro 2001
-----------------------------------
Listening on port 2222
Connection request from 127.0.0.1, port 1227
Connecting to http proxy (127.0.0.1:4480)
Bidirectional connection stablished
(127.0.0.1:21) <-> (localhost)
End of connection.
Here, a connection to local ftp server (127.0.0.1:21) is made by using local
proxy (127.0.0.1:4480). You can see how, after the connection is accepted,
desproxy connected to the proxy, interchanged some bytes (a FTP session) and
terminates the connection.
Desproxy is quite self explanatory about errors. Desproxy-inetd is far more
obscure, because the way inetd uses it (can't print error messages) to the
console.
Basically there are two kind of errors:
- •
- Errors reported when connecting to the proxy: the http page
showing the error is displayed.
- •
- Every other error: a short error message is displayed.
Some common HTTP errors (as reported by the proxy)
* HTTP 400 Bad Request - Some versions of desproxy (0.0.21) cause
this error (FATAL)
* HTTP 403 Forbidden - Forbidden to do that (FATAL)
* HTTP 404 Not Found - Page not found, or resource not found (MINOR)
* HTTP 405 Method not Allowed - Can't do CONNECT method (FATAL)
* HTTP 500 Internal Server Error - Maybe you're trying to connect to
a remote closed port (remote site reported connection refused)
(MINOR)
* HTTP 503 Service Unavailable -> The proxy can't reach the site
(MINOR)
* HTTP 505 HTTP Version Not Supported - CONNECT method not available
(FATAL)
* HTTP 502 Bad Gateway - Stands for "DNS lookup error" (MINOR)
(FATAL) - Forget about using desproxy, you can't surpass the proxy. (TODO) - To
do, not yet implemented. (MINOR) - Temporary fault or maybe your fault.
ENVIRONMENT¶
- PROXY_USER
- An example:
PROXY_USER=mayka:007sgotLTK
Beware passwords can include some characters that should be escaped from the
system console. For example, if your password is "moon!=sun",
and you are running Linux, you should type
- PROXY_USER
- An example:
PROXY_USER=yourusername:moon\!\=sun
Note characters "!" and "=" are escaped using the
backslash "\".
FILES¶
None.
SEE ALSO¶
dnsproxy-dns(1),
dnsproxy-inetd(1),
dnsproxy-socksserver(1),
connect(1)
AUTHORS¶
This manual page was written by Jari Aalto <jari.aalto@cante.net>, for the
Debian GNU system (but may be used by others). Released under license GPL v2
or, at your option, any later version.